[Cfrg] misuse resistant crypto (was: Re: Fwd: Draft NIST Special Publication 800-38F, Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping)

David McGrew <mcgrew@cisco.com> Fri, 19 August 2011 21:22 UTC

Return-Path: <mcgrew@cisco.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2E7411E80E5 for <cfrg@ietfa.amsl.com>; Fri, 19 Aug 2011 14:22:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.693
X-Spam-Level:
X-Spam-Status: No, score=-102.693 tagged_above=-999 required=5 tests=[AWL=-0.094, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RllDppTROveO for <cfrg@ietfa.amsl.com>; Fri, 19 Aug 2011 14:22:08 -0700 (PDT)
Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) by ietfa.amsl.com (Postfix) with ESMTP id EB7FB21F8BBA for <cfrg@irtf.org>; Fri, 19 Aug 2011 14:22:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=mcgrew@cisco.com; l=3127; q=dns/txt; s=iport; t=1313788986; x=1314998586; h=from:to:in-reply-to:subject:references:message-id: content-transfer-encoding:mime-version:date:cc; bh=DsZUbm2AFwU3i36JVqc7RrX4uLYvy3NQ95Kt4t4VyYY=; b=Br9I4dInEfK5oZGxUokChuGUxxbap9vPzx7tkoLMlZtMGip6kaBVFgqh WXEr1dFb+hkqvzOYkw6m+QJqUy/4eT29SrmgUxDxDPX5WlIVajLJXAb9g PivsjMsTI5wsYhb7USH4wp7Bw7Z+GfoBz8kD04KOIuFRBFpgNpHiMLnh+ 8=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av8EACLTTk6rRDoJ/2dsb2JhbABBqA53gUABAQEBAgEBAQEPASUCNAsQBRQDAwECASMLJygIBhMJCBGHTwSZdwGeboVpXwSHYIszkRU
X-IronPort-AV: E=Sophos;i="4.68,252,1312156800"; d="scan'208";a="14822099"
Received: from mtv-core-4.cisco.com ([171.68.58.9]) by rcdn-iport-9.cisco.com with ESMTP; 19 Aug 2011 21:23:04 +0000
Received: from stealth-10-32-254-212.cisco.com (stealth-10-32-254-212.cisco.com [10.32.254.212]) by mtv-core-4.cisco.com (8.14.3/8.14.3) with ESMTP id p7JLN2RH022273; Fri, 19 Aug 2011 21:23:03 GMT
From: David McGrew <mcgrew@cisco.com>
To: "Dan Harkins" <dharkins@lounge.org>
In-Reply-To: <6704bee4d7ea9ea3304b406af36bad6a.squirrel@www.trepanning.net>
X-Priority: 3 (Normal)
References: <1313422619590.788988.8998079.bulletin.csrc.nist@service.govdelivery.com> <AA2849B6-92F6-4607-B014-1C67E0BD0318@cisco.com> <6704bee4d7ea9ea3304b406af36bad6a.squirrel@www.trepanning.net>
Message-Id: <199C6B3D-B5B1-4778-BECA-736CA3813E1E@cisco.com>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Fri, 19 Aug 2011 14:23:02 -0700
X-Mailer: Apple Mail (2.936)
Cc: cfrg@irtf.org
Subject: [Cfrg] misuse resistant crypto (was: Re: Fwd: Draft NIST Special Publication 800-38F, Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Aug 2011 21:22:09 -0000

Hi Dan,

On Aug 15, 2011, at 10:05 AM, Dan Harkins wrote:

>
>  Hi David,
>
> On Mon, August 15, 2011 9:30 am, David McGrew wrote:
>> FYI - NIST is requesting feedback on the draft specification for Key
>> Wrapping.  This will probably be of interest to implementers of RFCs
>> 3394 and 5649.
>
>  ...and RFC 5297 too!
>
>> Comments on the draft should be sent directly to NIST, of course.
>> Discussion about the use of key wrapping in Internet standards is
>> welcome on the CFRG list.
>
>  SIV is being used in the just-ratified 802.11s amendment for "mesh
> networking" to do key wrapping. The reason it was chosen is its  
> ability
> to bind additional data to the wrapped key-- the message itself is
> authenticated and bound to the key such that the key cannot be  
> unwrapped
> if the message it is being sent in has been tampered with.
>
>  I hate to sound like a broken record but SIV really is a swiss army
> knife for crypto protocol design. It slices, it dices, it's a misuse
> resistant AEAD scheme, it wraps arbitrary-length keys (no padding  
> req'd)
> and binds additional data to the wrapped key. And it's provably  
> secure.
>
>  Dan.

I was recently having an email conversation with Tom Shrimpton on the  
same subject.  I think it would make sense to analyze and document the  
need for misuse-resistant crypto, by reviewing failure modes, problem  
areas, and whatever actual case studies of misuse we can come up  
with.  (It sounds like Peter G. has several that we could use.)

I think it would be a useful approach to consider the need for misuse- 
resistant crypto in a way that is independent from a particular  
algorithm proposal, because it might convince more peole of the  
importance of the issue if we can document the need and the  
requirements.   This exercise might also uncover failure modes that we  
haven't yet anticipated, or it might help us understand which failure  
modes are the most common or the most damaging.  What do you think -  
does that sound like something worth doing?

David

>
>> David
>>
>> Begin forwarded message:
>>
>>> From: NIST Computer Security Resource Center
>>> <csrc.nist@service.govdelivery.com
>>>>
>>> Date: August 15, 2011 8:37:36 AM PDT
>>> To: nist-interest@cisco.com
>>> Subject: Draft NIST Special Publication 800-38F, Recommendation for
>>> Block Cipher Modes of Operation: Methods for Key Wrapping
>>> Reply-To: NIST Computer Security Resource Center
>>> <csrc.nist@service.govdelivery.com
>>>>
>>>
>>> Draft Special Publication 800-38F
>>>
>>> NIST is pleased to announce that the Draft NIST Special Publication
>>> 800-38F, Recommendation for Block Cipher Modes of Operation: Methods
>>> for Key Wrapping, is available for public comment.
>>>
>>> For more informaiton regarding this draft please visit the CSRC
>>> Drafts page at:
>>> http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-38-F
>>>
>>>
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> http://www.irtf.org/mailman/listinfo/cfrg
>>
>
>